Security guidance for the Internet of Things

Embedded systems and connected devices are already deeply woven into the fabric of our lives, and the footprint is expanding at a staggering rate. Gartner estimates that 4.9 billion connected things were in use by the end of 2015, a 30% increase from 2014. This will rise to 25 billion by 2020 as consumer-facing applications drive volume growth, while enterprise sales account for the majority of revenue.

Security is a core need for manufacturers, developers, service providers and others who produce and use connected devices. Most of these – especially those used on the “Internet of Things” – rely on a complex web of embedded systems. Securing these systems is a major challenge, yet failure to do so can result in catastrophic consequences.

The prpl Foundation, an open source, community-driven, collaborative, non-profit foundation supporting the next gen connected devices industry, laid out its vision for a secure Internet of Things.

“Under the prpl Foundation, chip, system and service providers can come together on a common platform, architecture, APIs and standards, and benefit from a common and more secure open source approach,” said Cesare Garlati, prpl’s chief security strategist.

Security guidance

It proposes to engineer security into connected and embedded devices from the ground up, using three general areas of guidance. These are not the only areas that require attention, but they will help to establish a base of action as developers begin deal with security in earnest.

These areas include:

Addressing fundamental controls for securing devices. The core requirement, according to the document, is a trusted operating environment enabled via a secure boot process that is impervious to attack. This requires a root of trust forged in hardware, which establishes a chain of trust for all subsystems.

Using a Security by Separation approach. Security by Separation is a classic, time-tested approach to protecting computer systems and the data contained therein. The document focuses on embedded systems that can retain their security attributes even when connected to open networks. It is based on the use of logical separation created by hardware-enforced virtualization, and also supports technologies such as para-virtualization, hybrid virtualization and other methods.

Enforcing secure development and testing. Developers must provide an infrastructure that enables secure debug during product development and testing. Rather than allowing users to see an entire system while conducting hardware debug, the document proposes a secure system to maintain the separation of assets.

By embracing these initial areas of focus, stakeholders can take action to create secure operating environments in embedded devices by means of secure application programming interfaces (APIs). The APIs will create the glue to enable secure inter-process communications between disparate system-on-chip processors, software and applications. Open, secure APIs thus are at the centre of securing newer multi-tenant devices. In the document, the prpl Foundation offers guidance defining a framework for creating secure APIs to implement hardware-based security for embedded devices.